Maintained by: NLnet Labs

[Unbound-users] Signed .de zone - temporary validation errors

Bernhard Schmidt
Wed Mar 31 15:55:49 CEST 2010


On 31.03.2010 15:43, Paul Wouters wrote:
> On Wed, 31 Mar 2010, Bernhard Schmidt wrote:
>
>> It occasionally happens after about one to two weeks of uptime that I
>> cannot query any .de domain anymore. All of a sudden the log is full
>> of validation errors
>
>> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust
>> anchor -- DNSKEY rrset is not secure <de. DNSKEY IN>
>> Mar 30 21:06:10 svr01 last message repeated 2 times
>> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust
>> anchor -- could not fetch DNSKEY rrset <de. DNSKEY IN>
>> Mar 30 21:06:10 svr01 last message repeated 2 times
>>
>> The process has been running untouched since March 21st.
>>
>> I raised this on the DENIC ml. Peter Koch told me that he sees queries
>> from my IP address without the OPT-RR (so no EDNS and no DO) during
>> that timeframe. Which would of course mean that Unbound would not get
>> any DNSSEC records, so complaining is a good plan indeed.
>
> Did you check the ntp/clock settings on the machines involved?

Well, ntpd is running, shows no errors and the timestamps in the logfile
(see above) are continuous and without any (big = >5min) jumps.

> You might need to add a lot of verbosity to get more logs out of
> unbound. Or if you still have that instance running, use
> unbound-remote to dump the cache to a file and we might be able to
> get more information out of it.

Will do it the next time it happens.

Bernhard